Flash-based XSS – ExternalInterface.call()

In this section, I'll explain decompiling and exploiting Flash files for XSS. We will cover one commonly found XSS vector in Flash files: user-supplied input reaching the ExternalInterface.call() function without proper filtering.

What is this ExternalInterface.call() thing, you might wonder. Simply speaking, it's an ActionScript (the language that compiles to Flash) function that acts as a bridge between the Flash file and the JavaScript interface of the browser. The syntax of this function is as follows:

ExternalInterface.call("any-javascript-func", "arg");

To execute eval(alert(1)), you should use the following syntax:

ExternalInterface.call("eval", "alert(1)");

The equivalent JS generated would be as follows: ...
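As an added example (not from the book, and not the JavaScript the Flash runtime generates), the following models the validation a SWF should apply before handing a FlashVars-supplied callback name to ExternalInterface.call(); the `callback` parameter name and the allowlisted function names are assumptions. It also shows why a purely syntactic identifier check is not enough, since `eval` is a perfectly valid identifier.

```javascript
// Added example (not from the book): models the check a SWF should apply to a
// FlashVars-supplied callback name before passing it to ExternalInterface.call().
// The "callback" parameter and the allowlisted names are assumptions.
const ALLOWED_CALLBACKS = new Set(["onPlayerReady", "onPlayerError"]);

// Decode one query-string component; malformed escapes yield null instead of throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return null; }
}

// Parse a FlashVars / query string such as "callback=onPlayerReady&id=7".
function parseFlashVars(qs) {
  const vars = {};
  for (const part of qs.replace(/^\?/, "").split("&")) {
    if (part === "") continue;
    const eq = part.indexOf("=");
    const key = safeDecode(eq < 0 ? part : part.slice(0, eq));
    const val = safeDecode(eq < 0 ? "" : part.slice(eq + 1));
    if (key !== null && val !== null) vars[key] = val;
  }
  return vars;
}

// Purely syntactic check: does the name look like a dotted JS identifier path?
// "eval" and "document.write" pass this, so it is not sufficient on its own.
function looksLikeIdentifierPath(name) {
  return typeof name === "string" && /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(name);
}

// The check that actually closes the vector: exact match against an allowlist.
function isSafeCallbackName(name) {
  return typeof name === "string" && ALLOWED_CALLBACKS.has(name);
}

// Decide what the SWF would hand to ExternalInterface.call(), or null to refuse.
function planExternalCall(flashVars) {
  const name = parseFlashVars(flashVars).callback;
  return isSafeCallbackName(name) ? { func: name, arg: "ready" } : null;
}
```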

Get Mastering Modern Web Penetration Testing now with the O’Reilly learning platform.